CVE-2026-4730
Stored XSS in Charts Ninja WordPress Plugin
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| common_ninja | charts_ninja | to 2.1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access or above to inject malicious scripts into website pages. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of the user. This compromises the security and integrity of the website and its users.
Can you explain this vulnerability to me?
The vulnerability exists in the Charts Ninja WordPress plugin, specifically in versions up to and including 2.1.0. It is a Stored Cross-Site Scripting (XSS) flaw that occurs via the 'chartid' shortcode attribute. This happens because the plugin does not properly sanitize or escape input and output for this attribute. As a result, authenticated users with Contributor-level access or higher can inject malicious scripts into pages. These scripts will then execute whenever any user views the infected page.
What immediate steps should I take to mitigate this vulnerability?
The vulnerable plugin "Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website" was temporarily closed on April 28, 2026, pending a full review.
As an immediate mitigation step, you should disable or remove this plugin from your WordPress installation to prevent exploitation of the stored cross-site scripting vulnerability.
Additionally, ensure that only trusted users have Contributor-level access or higher, as the vulnerability requires authenticated users with such privileges to exploit.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'chartid' shortcode attribute in the Charts Ninja WordPress plugin. Detection typically involves inspecting WordPress pages or posts for malicious script injections in the 'chartid' shortcode.
To detect exploitation attempts or presence of this vulnerability on your system, you can search your WordPress database for suspicious or unexpected script tags or JavaScript code within the content fields that use the 'chartid' shortcode.
Example commands to search for suspicious shortcode usage in the WordPress database (assuming access to the database via command line):
- Use SQL queries to find posts containing the 'chartid' shortcode with potential script tags, e.g.:
- SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[chartid%<script%' OR post_content LIKE '%[chartid%javascript:%';
- Alternatively, grep can be used on exported content or backups to find suspicious shortcode usage:
- grep -r '\[chartid.*<script' /path/to/wordpress/wp-content/
Additionally, monitoring web server logs for unusual requests containing script payloads targeting pages with the 'chartid' shortcode may help detect exploitation attempts.